Privacy, security and GDPR

The Privacy, security and GDPR page allows you to configure Ortto’s global security, privacy, and General Data Protection Regulation (GDPR) settings.

Access the Privacy, security and GDPR page

To access the Privacy, security and GDPR page, navigate to Settings  Privacy security & GDPR.

On this page, you can configure the following privacy and security settings:

If you change any of these field values (below), click Save towards the end of the page to save all changes you have made to the page.

App authentication

The App authentication section allows you to enforce whether or not your Google Account or Okta-based credentials are required to sign in to your Ortto account.

To configure this feature, select from either of the following options:

  • Any authentication method ( Default ) - All users can sign in with either their Google or Microsoft account, or with their own email address and password.
  • Google Single-Sign-On enforced -- All users can only sign in to Ortto using their Google account.
  • Learn more about this feature in Microsoft single-sign-on for Ortto.
  • Okta Single-Sign-On enforced (requires additional setup in OKTA) ( Limited availability ) — All users can only sign in to Ortto using credentials configured through an Okta domain. This feature is only available to Ortto customers on Enterprise plans. Learn more about how to configure this feature in Okta single-sign-on for Ortto.
    Ortto’s Okta integration enforces users to sign in to Ortto using a service provider-initiated (SP-initiated) single sign-on (SSO) flow. This means that users will only be able to sign in to Ortto (service provider) from the Ortto sign in page using Okta credentials.
    The Okta SP-initiated SSO is bound to the Ortto account (instance) in which it was configured. Other Ortto accounts can be configured with alternative authentication methods (such as Google SSO).

WARNING: If you choose this option and proceed to configure your Ortto account to use Okta single sign-on (SSO), then this is an irreversible process, and you will no longer be able to revert your Ortto account to using the Any authentication method or Google Single-Sign-On enforced methods for Ortto app authentication.

Google reCAPTCHA

The Google reCAPTCHA section allows you to incorporate Google’s reCAPTCHA feature into Ortto’s capture widgets used on your business' site/s as data sources integrated with Ortto.

To configure Google reCAPTCHA in your Ortto account:

  1. Register your business' site/s through Google reCAPTCHA, e.g. via its Admin Console, choosing reCAPTCHA v2 (and one of its appropriate options) as the reCAPTCHA type.
  2. After the registration process is completed (e.g. on Google reCAPTCHA’s Adding reCAPTCHA to your site page):
    1. Click COPY SITE KEY and paste this into the Site key field in this section of the Ortto interface.
    2. Click COPY SECRET KEY and paste this into the Ortto interface’s Secret key field.

Two-step authentication (2FA)

The Two-step authentication (2FA) section allows you to enforce whether or not Ortto users are required to use two-factor authentication/verification (configurable through their Profile settings) to sign in to your Ortto account. Two-factor authentication/verification is also known as multi-factor authentication (MFA).

To configure this feature, select from either of the following options:

  • Optional ( Default ) - All Ortto users can sign in to Ortto with or without the need to use two-factor verification.
  • Required - All Ortto users must use two-factor verification sign in to Ortto. Two-factor verification is configurable for each user through each Ortto their Profile settings.


  • If 2FA is set as required for all users in here (in Settings:  Privacy security and GDPR, but have has not yet been set it at account level (under Profile settings), then 2FA will automatically be enabled in each users' Profile settings.
  • If you have 2FA configured but sign in with a Google account, then you may not be prompted for 2FA during the sign-in process, since Google’s own two-step verification feature is utilized instead.

Tracking opt-in form

The Tracking opt-in form allows you to enable or disable Ortto’s user-driven cookie-based tracking feature, which is designed to meet the "General Data Protection Regulation" (GDPR).

The GDPR is a European Union (EU) protection framework that applies to:

  • companies and entities in the EU who handle personal data as a part of their activities, as well as
  • companies and entities outside of the EU who handle the personal data of EU data subjects (individuals residing in the EU).

As part of the GDPR, any software application (like Ortto) that tracks personal data, must allow the user to opt-in to accepting the software tracking their activities through the web application or browser.

Since Ortto uses cookies to track personal data, then to meet GDPR requirements, you can enable Ortto’s tracking opt-in form to appear on your business' site/s.

Policies, documents and GDPR addendum

Ortto’s Customer General Data Protection Regulation (GDPR) addendum can be downloaded from this site.

Data hosting

This section identifies where your data is being hosted depending on the region you chose at signup: United States (default), European Union, or Australia.

Learn more about data hosting.

If you interact with Ortto's API, the region in which your data is hosted in also determines which API endpoint you need to use, as there is a specific endpoint for each region. Learn more in our Developer guide.